PT-2026-31693 · Bytecode Alliance · Wasmtime

Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-35195

CVSS v4.0: 6.1 (Medium)

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1

Description

Wasmtime's implementation of transcoding strings between components has a flaw where the return value of a guest component's realloc function is not validated before the host writes through the pointer. This allows a guest to potentially cause the host to write arbitrary transcoded string bytes to an arbitrary location in memory. These writes could result in the host hitting unmapped memory or corrupting host data structures, depending on Wasmtime's configuration. Wasmtime typically reserves 4 GiB of virtual memory for a guest, which by default will cause the host to abort due to an unhandled fault. However, configurations allowing less memory reservation or removal of guard pages may lead to corruption of data outside the guest's linear memory.

Recommendations

Update to Wasmtime version 24.0.7 or later.
Update to Wasmtime version 36.0.7 or later.
Update to Wasmtime version 42.0.2 or later.
Update to Wasmtime version 43.0.1 or later.
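
The class of check described above, as an added example in safe Rust (a toy model, not Wasmtime's code or its patch). `Arena`, `validate_realloc`, `transcode` and `demo` are hypothetical names; the arena places host data directly after a 64-byte guest memory to model a configuration without guard pages, and the alignment check is an assumption beyond what the advisory states.

```rust
// Toy model: `Arena` stands in for host address space, with the guest's linear
// memory at [0, guest_len) and host data directly after it (no guard region).
pub struct Arena { pub bytes: Vec<u8>, pub guest_len: usize }

#[derive(Debug, PartialEq)]
pub enum Trap { Unaligned, OutOfBounds }

/// Validate a pointer returned by the guest's realloc before the host writes through it.
pub fn validate_realloc(ptr: u32, len: usize, align: usize, guest_len: usize) -> Result<usize, Trap> {
    let start = ptr as usize;
    if start % align != 0 { return Err(Trap::Unaligned); }
    // start + len must not wrap, and the whole range must lie inside guest memory.
    match start.checked_add(len) {
        Some(end) if end <= guest_len => Ok(start),
        _ => Err(Trap::OutOfBounds),
    }
}

/// Transcode UTF-8 to UTF-16LE into a buffer whose address the guest's realloc chose.
/// `guest_realloc` is untrusted and may return any u32.
pub fn transcode(arena: &mut Arena, s: &str, guest_realloc: impl Fn(usize) -> u32,
                 check: bool) -> Result<usize, Trap> {
    let units: Vec<u16> = s.encode_utf16().collect();
    let len = units.len() * 2;
    let ptr = guest_realloc(len);
    let start = if check {
        validate_realloc(ptr, len, 2, arena.guest_len)?
    } else {
        ptr as usize // flawed pattern: guest-chosen pointer trusted as-is
    };
    for (i, u) in units.iter().enumerate() {
        arena.bytes[start + 2 * i..start + 2 * i + 2].copy_from_slice(&u.to_le_bytes());
    }
    Ok(start)
}

/// Returns (host data intact after the unchecked write, result of the checked write).
pub fn demo() -> (bool, Result<usize, Trap>) {
    let fresh = || Arena { bytes: [vec![0u8; 64], vec![0xAA; 16]].concat(), guest_len: 64 };
    let hostile = |_len: usize| 60u32; // constructed: 4 bytes before the end of guest memory
    let mut a = fresh();
    transcode(&mut a, "secret", hostile, false).unwrap();
    let intact = a.bytes[64..].iter().all(|&b| b == 0xAA);
    let mut b = fresh();
    (intact, transcode(&mut b, "secret", hostile, true))
}

fn main() { println!("{:?}", demo()); }
```

In the unchecked run the 12 transcoded bytes land at offsets 60..72 and overwrite 8 bytes of the modeled host data; the checked run traps before any write.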

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-35195
GHSA-394W-HWHG-8VGM
RUSTSEC-2026-0091

Affected Products

Wasmtime